System and method for software tamper detection

US 20070067643A1
Filed: 09/21/2005
Published: 03/22/2007
Est. Priority Date: 09/21/2005
Status: Abandoned Application

First Claim

Patent Images

1. A computer-readable medium having computer-executable instructions for detecting modification of a software component, the computer-executable instructions enabling actions comprising:

receiving first portion of a decryption key;

determining an integrity value associated with the software component;

combining the first portion of the decryption key with the integrity value to generate the decryption key;

employing the generated decryption key to attempt to decrypt content; and

if the integrity value indicates that the software component is unmodified and the generated decryption key is properly generated, successfully decrypting the content.

View all claims

4 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A method, system, and apparatus are directed towards detecting unauthorized modification of software, such as virtual smart card software. An analysis is performed on the software to generate a unique pattern that is based on the integrity of the software. The pattern is generated using various portions of the software code. In one embodiment, matrix manipulations that involve a sequence of randomly selected matrix operations are performed on extracted portions of the software code. Sample sizes of the software code, sizes of the matrices, and other initialization parameters may be selected based on a desired security level. The resulting pattern may then be compared to a known normal pattern for the software to detect unauthorized modification. In one embodiment, however, the resulting pattern may be algorithmically combined with another value. The resulting combination may be used to decrypt content, if the software has not been modified.

125 Citations

View as Search Results

28 Claims

1. A computer-readable medium having computer-executable instructions for detecting modification of a software component, the computer-executable instructions enabling actions comprising:
- receiving first portion of a decryption key;
  
  determining an integrity value associated with the software component;
  
  combining the first portion of the decryption key with the integrity value to generate the decryption key;
  
  employing the generated decryption key to attempt to decrypt content; and
  
  if the integrity value indicates that the software component is unmodified and the generated decryption key is properly generated, successfully decrypting the content.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8)
- - 2. The computer-readable medium of claim 1, wherein the first portion of the decryption key is encrypted.
  - 3. The computer-readable medium of claim 1, wherein determining the integrity value associated with the software component further comprises determining a checksum associated with at least a portion of the software component.
  - 4. The computer-readable medium of claim 1, wherein determining the integrity value associated with the software component further comprises determining a value based on a sequence of mathematical operations using at least a portion of the software component.
  - 5. The computer-readable medium of claim 1, wherein determining the integrity value associated with the software component further comprises:
    - determining a key matrix based, in part, on a desired security level;
      
      parsing the software component into sample size matrices (SSM);
      
      multiplying each SSM with its matrix transform (SSMT) to generate a quadratic symmetric matrix (M) for each SSM;
      
      performing at least one arithmetic matrix operation between each quadratic symmetric matrix and the key matrix to generate another key matrix; and
      
      employing the other key matrix as the integrity value for the software component.
  - 6. The computer-readable medium of claim 5, wherein the at least one arithmetic matrix operation is randomly determined from at least one of a matrix addition, subtraction, or multiplication.
  - 7. The computer-readable medium of claim 5, wherein determining the key matrix further comprises determining the key matrix'"'"'s elements based, in part, on a number generator, and wherein a size of the key matrix is based on a desired probability of detecting a pattern.
  - 8. The computer-readable medium of claim 5, wherein parsing the software component into sample size matrices (SSM) further comprises parsing the software component into a number of subset matrices of at least one of a static length or a dynamic length.

9. A method of detecting a modification of a software component, the method comprising:
- determining a data preparation set of parameters (DPS) based, in part, on a desired security level, wherein the DPS includes a key matrix;
  
  performing, at a server device, an integrity determination upon the software component residing on the server using the DPS to generate a prototype pattern;
  
  providing the DPS to a client device;
  
  performing, at the client device, the integrity determination upon a copy the software component residing on the client device using the DPS to generate a pattern;
  
  comparing the prototype pattern to the pattern to determine whether a modification of the copy of the software component is detected, and if a modification of the copy of the software component is detected, performing a detection action.
- View Dependent Claims (10, 11, 12)
- - 10. The method of claim 9, wherein comparing the prototype pattern to the pattern further comprises sending the pattern to the server device, wherein the server device performs the comparison.
  - 11. The method of claim 9, wherein comparing the prototype pattern to the pattern further comprises sending the prototype pattern to the client device, wherein the client device performs the comparison.
  - 12. The method of claim 9, wherein the integrity determination further comprises:
    - extracting from the software component a sample size matrix;
      
      determining a quadratic matrix by multiplying the sample size matrix with a transpose of the sample size matrix;
      
      performing a random selection of arithmetic matrix operations between the quadratic matrix and the key matrix, the result being one of the prototype pattern or the pattern.

13. A system of detecting a modification of a software component, comprising:
- a server device, that is configured to perform actions, comprising;
  
  determining a data preparation set of parameters (DPS), wherein the DPS is, at least in part, randomly selected, and is further determined based, in part, on a desired security level, the DPS including a key matrix;
  
  determining a prototype pattern based on the DPS for a copy of the software component, wherein the determination comprises performing a randomly selected matrix operation on at least a portion of the copy of the software component; and
  
  sending at least the DPS to a client device; and
  
  the client device, that is in communication with the server device, and is configured to perform actions, comprising;
  
  receiving at least the DPS; and
  
  determining a pattern based on the received DPS for the software component, wherein the determination comprises performing the randomly selected matrix operation on at least a portion of the software component.
- View Dependent Claims (14, 15, 16, 17)
- - 14. The system of claim 13, wherein the DPS further comprises a sequence of arithmetic matrix operations to be performed on at least a portion of the software component or copy of the software component.
  - 15. The system of claim 13, further comprising:
    - a decision engine that is configured to perform actions, comprising;
      
      receiving the prototype pattern;
      
      receiving the pattern;
      
      comparing the prototype pattern with the pattern to determine if the software component of the client device is modified; and
      
      if a modification is detected, performing a detection action.
  - 16. The system of claim 15, wherein the decision engine is configured to perform further actions, comprising:
    - algorithmically combining the pattern with another value to generate a decryption key that is based on an integrity of the software component on the client device.
  - 17. The system of claim 15, wherein the decision engine resides within at least one of the server device or the client device.

18. A server device having computer-executable components for use in detecting a modification of a software component, the components comprising:
- a transceiver for receiving and sending information;
  
  a processor, in communication with the transceiver, that includes machine instructions that cause the processor to perform operations, including;
  
  determining a data preparation set of parameters (DPS), wherein the DPS is based, at least in part, on a desired security level, the DPS including a key matrix;
  
  determining a prototype pattern based on the DPS for a copy of the software component, wherein the determination comprises performing at least one matrix operation on at least a portion of the copy of the software component;
  
  sending at least the DPS to a client device;
  
  receiving a pattern for the software component, the pattern being determined in part on the received DPS, wherein the determination comprises performing the at least one matrix operation on at least a portion of the software component;
  
  comparing the prototype pattern with the pattern to determine if the software component of the client device is modified; and
  
  if a modification is detected, performing a detection action.

19. A client device for use in detecting a modification of a software component, the client device comprising:
- a transceiver for receiving and sending information;
  
  a processor, in communication with the transceiver, that includes machine instructions that cause the processor to perform operations, including;
  
  receiving first value from a server;
  
  determining an integrity value associated with at least a portion of the software component;
  
  combining the first value with the integrity value to generate the decryption key; and
  
  if the integrity value indicates that the software component is unmodified, enabling the decryption key to decrypt content.
- View Dependent Claims (20, 21, 22, 23)
- - 20. The client device of claim 19, wherein determining the integrity value associated with the software component further comprises determining a checksum associated with at least the portion of the software component.
  - 21. The client device of claim 19, wherein determining the integrity value associated with the software component further comprises performing a sequence of mathematical operations upon at least the portion of the software component to determine the integrity value.
  - 22. The client device of claim 19, wherein combining the first value with the integrity value further comprises performing at least one of an exclusive OR (XOR), a series of rotates on the first value or the integrity value, an add, or a subtraction.
  - 23. The client device of claim 19, wherein determining the integrity value associated with the software component further comprises determining at least one of a run-length encoding check bit, or an error correcting code (ECC) check bit for at least the portion of the software component.

24. A client device having computer-executable components for use in detecting a modification of a software component, the components comprising:
- a processor that includes machine instructions that causes the processor to perform operations, including;
  
  receiving a data preparation set of parameters (DPS), wherein the DPS includes a key matrix;
  
  receiving a first portion of a decryption key to a client device;
  
  determining an integrity pattern for the software component based in part on the received DPS; and
  
  generating the decryption key by algorithmically combining the pattern with the first portion of the decryption key, wherein the decryption key enables decryption of content if the software component is unmodified.
- View Dependent Claims (25)
- - 25. The client device of claim 24, wherein determining the integrity pattern further comprises performing randomly selected matrix operations on at least a portion of the software component to, in part, generate the integrity pattern.

26. A modulated data signal for use in detecting a modification of a software component, the modulated data signal comprising instructions that enable the computing device to perform the actions of:
- sending to a client device a data preparation set of parameters (DPS) that includes at least a key matrix;
  
  providing to the client device, a prototype pattern that is based on the DPS and a matrix operation on at least a portion of a copy of the software component, the prototype pattern indicating an integrity of the copy of the software component;
  
  enabling, at the client device, a determination of a pattern for the software component, the pattern being based in part on the received DPS and the matrix operation on at least a portion of the software component, the pattern indicating an integrity of the software component;
  
  enabling the client device to compare the prototype pattern with the pattern to determine if the software component of the client device is modified; and
  
  if a modification is detected, enabling the client device to perform a detection action.
- View Dependent Claims (27)
- - 27. The modulated data signal of claim 26, wherein the matrix operation further comprises a random selected matrix operation from at least one of a matrix add, matrix subtract, and a matrix multiply operation.

28. A client device for use in detecting a modification of a software component, comprising:
- means for receiving a first value associated with content;
  
  means for determining an integrity value associated with the software component;
  
  means for combining the first value with the integrity value to generate a decryption key; and
  
  if the integrity value indicates that the software component is unmodified, means for decrypting content.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Google LLC (Alphabet Inc.)
Original Assignee
Widevine Technologies Incorporated (Alphabet Inc.)
Inventors
Morten, Glenn, Zhuk, Oscar, Veres, James

Application Number

US11/232,471
Publication Number

US 20070067643A1
Time in Patent Office

Days
Field of Search
US Class Current

713/187
CPC Class Codes

G06F 21/10   Protecting distributed prog...

G06F 21/552   involving long-term monitor...

G06F 21/554   involving event detection a...

System and method for software tamper detection

First Claim

4 Assignments

0 Petitions

Accused Products

Abstract

125 Citations

28 Claims

Specification

Solutions

Use Cases

Quick Links

System and method for software tamper detection

First Claim

4 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

125 Citations

28 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links